Java updated last week, still vulnerable today

Oracle’s Java platform seems to be in an endless battle with Adobe Flash to see which can take the crown as the most compromised platform on your computer. Last week Oracle rolled out 42 patches for known security holes — and this was just another day for the oft-attacked software.

Now Security Explorations of Poland has announced it has found a new Reflection API vulnerability that affects all Java versions, including 7u21, which was just released last Tuesday. “It can be used to achieve a complete Java security sandbox bypass on a target system,” Gowdiak wrote on the Full Disclosure mailing list on Monday.

Attackers can exploit this latest vulnerability to achieve a complete Java security sandbox escape, Gowdiak says, adding that he also sent proof-of-concept code to Oracle demonstrating an exploit.

There is no telling when Oracle will patch this latest flaw, but the company generally follows a Microsoft-like approach, rolling out updates in one big release.

Really, the best solution is to simply uninstall Java if you have no need for the service. Also, do not confuse Java with Javascript, which is mostly safe. Java can also be disabled within your browser — a move I recommend you making.